Antivirus Bypass Using Metasploit

I was recently performing an internal penetration test and, as usual, we discovered several vulnerabilities that could easily be exploited, ranging from easily guessed database passwords to missing patches. As many of you probably do, we turned to Metasploit to assist in the exploitation phase. This is where we ran into a problem that many of you probably also encounter: interference from the antivirus software. The server we were attempting to exploit was vulnerable, but the Metasploit payload was being detected and blocked by the antivirus software, in this case CA eTrust. Much of this post may be old news to many of you, and there is probably a more efficient process, but I wanted to illustrate the method we used to obtain a Meterpreter shell on the target system. In this example we discovered a Microsoft SQL Server with an easily guessed sa password. We attempted to use Metasploit and the mssql_payload exploit to obtain a shell on the system. However, as you can see in the figure below, the exploit did not work.

Just to verify that the password was correct, we used the mssql_hashdump utility to extract the database password hashes from the system.

Success: we now know the password was correct, and the exploit should have worked. It was then that I began to suspect antivirus might be the culprit. Well, there is more than one way to compromise a system. Let us just use the mssql_exec feature in Metasploit to issue commands on the server via xp_cmdshell. With this we can easily create a user…
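From the defender's side, the two weaknesses this walkthrough relies on are a guessable sa password and an xp_cmdshell that can be called through the database. The following T-SQL, added here as an example and not taken from the original post, audits both on a SQL Server instance and applies the hardening; the instance it runs against and the permissions of the auditing login (sysadmin is assumed) are not part of the original.

```sql
-- Added example (not from the original post): audit and harden the two settings
-- abused above. Assumes it is run as a sysadmin-level login on the instance.

-- 1. Audit: is xp_cmdshell currently enabled? value_in_use = 1 means yes.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 2. Audit: which logins are sysadmin (and so could call or re-enable
--    xp_cmdshell), and is the built-in sa login still enabled?
SELECT sp.name, sp.type_desc, sp.is_disabled
FROM sys.server_principals AS sp
WHERE IS_SRVROLEMEMBER('sysadmin', sp.name) = 1
   OR sp.name = 'sa';

-- 3. Harden: turn xp_cmdshell off. 'show advanced options' must be on to
--    change it; it is switched back off afterwards.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 4. Harden: disable the sa login so that guessing its password gains nothing.
--    Do this only after confirming another sysadmin login exists for administration.
ALTER LOGIN sa DISABLE;

-- 5. Verify: both rows should now show value_in_use = 0, and sa should show
--    is_disabled = 1.
SELECT name, value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell';
SELECT name, is_disabled FROM sys.server_principals WHERE name = 'sa';
```

Note that step 3 alone is weak: any sysadmin-level login, including a compromised sa, can run sp_configure and turn xp_cmdshell straight back on, so the audit in step 2 and the login hardening in step 4 are what actually close the path used in the post.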